Technical Proposal Template for Huawei USG6000

Issue 01
Date 2017-03-14
HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2017. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

[Huawei logo] and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
www.huawei.com

Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.

Contents

1 Overview
1.1 Network Security
1.2 Threat Management
1.3 Network Security Management
1.4 New Threats on Networks
2 XX Enterprise Network Analysis
2.1 Status Quo of XX Enterprise Network
2.2 Service Traffic Analysis of XX Enterprise Network
2.3 Network Security Problems and Analysis for XX Enterprise
3 Network Security Requirements of XX Enterprise
3.1 Network Security Design Principles for XX Enterprise
3.2 Network Security Requirements of XX Enterprise
4 Huawei Network Security Solution
4.1 Network Security Solution for XX Enterprise
4.1.1 Border Protection for Large and Medium-sized Enterprises
4.1.2 Intranet Control and Security Isolation
4.1.3 Border Protection for IDCs
4.1.4 VPN Remote Access and Mobile Working
4.1.5 Cloud Computing Gateway Protection Solution
4.1.6 MPLS VPN Solution
4.1.7 IPv4-to-IPv6 Transition Solutions
4.2 Network Security Device Selection for XX Enterprise
5 Features of the Security Solutions
5.1 Service Traffic Analysis of XX Enterprise Network
5.2 Advantages of XX Enterprise's Network Security Solution
6 Huawei USG Series
6.1 USG Overview
6.2 Functions
6.2.1 Complete Security Functions Inherited from Traditional Firewalls
6.2.2 Advanced Content Security Defense
6.2.3 Flexible User Management
6.2.4 Fine-grained Traffic Management
6.2.5 IPv6
6.2.6 Diversified VPN Access Modes
6.2.7 Virtual Firewall
6.2.8 Interworking with the IDS
6.2.9 Diversified Logs and Reports
6.2.10 Flexible Device Management
6.2.11 Test and Authentication Compliance
7 Huawei Service
7.1 Service Concepts
7.2 Service Content
7.3 Service System

1 Overview

The popularity of the Internet has immensely boosted the development of society while causing many network security issues. Security has become a common concern among enterprises and organizations in the finance, education, power supply, and transportation fields. Network security issues concern both the security of networks and network security management. As the telecom network evolves towards integration, openness, and broadband, it becomes larger and more complex and faces various network security threats. Network security events occur frequently, such as viruses, worms, malicious code, web page tampering, and spam. Government websites are frequently attacked. The single attack defense technology of traditional firewalls cannot defend against these threats.

Therefore, the Next-Generation Firewall (NGFW) was developed to defend against these threats. The NGFW uses a dedicated multi-core architecture platform and integrates IPS, antivirus, URL filtering, VPN, DLP, firewall functions, and Internet access behavior management. The NGFW implements a hierarchical threat defense solution.

1.1 Network Security

The Internet is vulnerable to attacks due to its openness. With attacks varying, attack tools spreading, and botnet/DDoS attacks emerging, the network layer faces endless attacks. These attacks include ARP flood, ICMP flood, IP spoofing, UDP flood, SYN flood, Smurf, Land, oversized ICMP packet, Fraggle, Ping of Death, Teardrop, ping scan, port scan, and IP source routing option attacks, as well as sniffing through tracert.

The network-layer attacks include bandwidth attacks, host or network device attacks, and host scanning attacks. In a bandwidth attack, a great deal of attack traffic consumes the bandwidth needed by normal service traffic, so that normal service traffic cannot be processed. In a host or network device attack, attackers attack an application interface of a host or network device, causing it to break down or fail to process normal service data. In host scanning, attackers use IP sweeping or port scanning to obtain host information from network activity before an intrusion.

1.2 Threat Management

Increasingly complex threats, strict regulatory requirements, and constant application development bring new network security problems to enterprises. Threat complexity brings more vulnerabilities to new applications and technologies and more challenges to IT managers. The unified threat management platform provides a comprehensive security solution designed to work ahead of the threat.

1.3 Network Security Management

Network security management means that enterprises divide their network resources into security zones and security levels. Network security management ensures secure network operation and improves enterprises' information security management. A security zone is a set of hosts that have the same network resource access permissions. Security zone division follows the enterprise's department division. For example, security zones of different security levels are assigned to the financial department, R&D department, and marketing department. Security zone division simplifies network resource control and management for an enterprise. Security policy management that meets the enterprise's management requirements is then implemented to improve the enterprise's information security management.

1.4 New Threats on Networks

Diversified new applications bring convenience to human life as well as more security risks.

1. The identity of the user at an IP address is unclear.
On new networks, attackers easily manipulate zombie hosts to launch network attacks from legitimate IP addresses, or forge source IP addresses to spoof and obtain permissions. The source IP address of a packet does not represent the user identity. In addition, teleworking and mobile working have emerged; the IP address of a user may change at any time. Traffic control by IP address cannot meet the network requirements.

2. The port and protocol of an application are not fixed.
Traditional network services run on fixed ports. For example, HTTP runs on port 80, and FTP runs on ports 20 and 21. On new networks, ports not assigned by the Internet Assigned Numbers Authority (IANA) and random ports (for example, P2P ports) are frequently used by network applications. These applications are hard to control, exhaust bandwidth, and even cause network congestion.
Meanwhile, well-known ports are used by services that are not fixed. With the development of web technologies, more and more services with different risk levels run on ports 80 and 443 using HTTP and HTTPS, for example, webmail, web games, video websites, and web chat.

3. The packet content is uncertain.
A single-packet detection mechanism can analyze only the security of individual packets. It cannot defend against viruses or Trojan horses carried in an otherwise normal access process. During Internet access, intranet hosts may unknowingly introduce worms, Trojan horses, and viruses, which result in information leaks and losses. Therefore, network security management must identify and monitor traffic contents, in addition to controlling traffic based on source and destination IP addresses.

2 XX Enterprise Network Analysis

Through communication with XX enterprise, we have gained a deep understanding of its network, analyzed below.

2.1 Status Quo of XX Enterprise Network

This section consists of two parts. (Note: The network throughput shall be provided.)
1. Intranet topology of XX enterprise: If the enterprise network is newly built, you must provide the network topology without security devices. This topology will be used to analyze the security solution.
2. Services carried by the intranet of XX enterprise, namely internal services and egress network services.

2.2 Service Traffic Analysis of XX Enterprise Network

[Provide a service traffic analysis diagram of the live network so that customers have a clearer understanding of network security problems.]

2.3 Network Security Problems and Analysis for XX Enterprise

[This section includes the following parts (based on communication with customers and our analysis):
1. Security risks at the XX enterprise network egress: DoS attacks and port scanning.
2. Security zone division of the XX enterprise intranet: network resource permission management for different departments.
3. Server protection for XX enterprise: FTP, web, mail, and database server protection in the DMZ.
4. Security threats to XX enterprise network services: the services in the various security zones must be filtered and the enterprise's management means diversified.
5. Need for the NAT function: as a professional NAT device, the gateway delivers excellent performance, flexible NAT functions, and diversified NAT ALGs.
6. Access for mobile employees: the gateway provides a great diversity of VPN access means and enables secure access to internal resources from extranets.
7. Intrusion risks for XX enterprise: interworking with most IDSs in the industry implements intrusion detection.
8. After-event tracing on the XX enterprise network: because the NAT function hides the internal network structure, after-event tracing becomes extremely important when a security event takes place during access to the external network. The USG5300 provides a dedicated log server that logs mappings between public and private addresses in binary format. NAT logs provide a technical means for event audit.]
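A worked illustration of item 8, tracing a public address and port reported by an outside party back to the internal host through the NAT mapping log. This is an added example, not part of the original template and not Huawei's log format or tooling: the device logs these mappings to its log server in binary form, whereas the text lines, field names, addresses and times below are constructed stand-ins carrying the same information.

```python
"""After-event tracing through NAT mapping logs (added example; the text log
format, addresses and timestamps below are constructed, not the USG's own
binary log format)."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>nat-open|nat-close)\s+proto=(?P<proto>\w+)"
    r"\s+src=(?P<src>\S+)\s+trans=(?P<trans>\S+)\s+dst=(?P<dst>\S+)$"
)

# Constructed sample. Public port 40001 is reused by a second internal host
# after the first session closes, which is why the time of the reported
# event has to be part of the query and not just the public ip:port.
SAMPLE_LOG = """\
2017-03-14T09:15:02Z nat-open  proto=tcp src=10.2.0.10:51234 trans=203.0.113.7:40001 dst=198.51.100.20:443
2017-03-14T09:15:09Z nat-open  proto=tcp src=10.3.0.5:60000 trans=203.0.113.7:40002 dst=198.51.100.20:443
2017-03-14T09:16:30Z nat-close proto=tcp src=10.2.0.10:51234 trans=203.0.113.7:40001 dst=198.51.100.20:443
2017-03-14T09:17:00Z nat-open  proto=tcp src=10.4.0.9:44444 trans=203.0.113.7:40001 dst=192.0.2.30:80
2017-03-14T09:20:00Z nat-close proto=tcp src=10.3.0.5:60000 trans=203.0.113.7:40002 dst=198.51.100.20:443
"""


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Mapping:
    proto: str
    private: str                    # internal ip:port before translation
    public: str                     # ip:port seen by the outside world
    peer: str                       # external destination ip:port
    start: datetime
    end: Optional[datetime] = None  # None: still open when the log ends


def load_mappings(log_text: str) -> List[Mapping]:
    """Pair nat-open/nat-close events into mapping lifetimes."""
    open_sessions = {}
    finished = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed NAT log line: {line!r}")
        key = (m["proto"], m["src"], m["trans"], m["dst"])
        ts = parse_ts(m["ts"])
        if m["event"] == "nat-open":
            open_sessions[key] = Mapping(m["proto"], m["src"], m["trans"], m["dst"], ts)
        elif key in open_sessions:  # a close without an open is a log gap; skipped
            sess = open_sessions.pop(key)
            sess.end = ts
            finished.append(sess)
    finished.extend(open_sessions.values())  # sessions still open at end of log
    return finished


def trace(mappings: List[Mapping], public: str, at: datetime, proto: str = "tcp") -> Optional[str]:
    """Return the private endpoint behind `public` at time `at`, or None.
    Two live mappings for one public endpoint mean the log is inconsistent, so refuse to guess."""
    hits = [m for m in mappings
            if m.public == public and m.proto == proto
            and m.start <= at and (m.end is None or at <= m.end)]
    if len(hits) > 1:
        raise ValueError(f"ambiguous mapping for {public} at {at.isoformat()}")
    return hits[0].private if hits else None
```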

3 Network Security Requirements of XX Enterprise

[This chapter briefs and analyzes the network security problems of XX enterprise. Thorough communication with the customer and our analysis reveal that XX enterprise requires network attack defense, security zone division, and NAT.]

3.1 Network Security Design Principles for XX Enterprise

Based on the requirements of XX enterprise for network security and Huawei's experience in network security, we propose that the network security design of XX enterprise adhere to the following principles:
1. Advancement: Security devices deployed on the XX enterprise network must use a dedicated hardware platform and a secure, professional software platform to ensure device security, in line with the industry's technology development trend in terms of advancement and maturity.
2. High availability: The network of XX enterprise is the basis for the informatization of the enterprise and is therefore vital. Deployed at key nodes, network security devices play important roles in network stability. High availability must be considered during the network design.
3. Scalability: The fast development of XX enterprise and its changing network require that the entire network be flexible and scalable, especially for new security zones and security zone expansion.
4. Compatibility: The design standards and technical specifications of XX enterprise's security products comply with international and industry standards. XX enterprise's security products are compatible with products from many peer vendors, which helps XX enterprise maximize return on investment (ROI).
5. Minimum authorization: Security policy management of XX enterprise must comply with the minimum authorization principle. Specifically, hosts in a given security zone can access only authorized resources. Resources in XX enterprise must be under control and inaccessible to unauthorized terminals.

3.2 Network Security Requirements of XX Enterprise

[Deploy a gateway to satisfy the following requirements of XX enterprise (list the requirements based on the network problems and analysis of XX enterprise):
1. Security zone division: assign the financial department, R&D department, marketing department, and production department to different security zones.
2. Network attack defense: enable network attack defense at the network egress to prevent attacks from extranets, and between security zones to prevent network attacks from spreading among departments.]
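The following added example (not Huawei code or USG configuration) models how requirement 1 above combines with the minimum authorization principle of section 3.1: departments are mapped to zones, interzone traffic must match an explicit permit rule, and everything else is denied. The subnets, zone names, rule names and ports are constructed for illustration.

```python
"""Zone-based security policy model (added example, not Huawei USG code or
configuration): department zoning per section 3.2 with default deny per the
minimum authorization principle in 3.1. Subnets, ports and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple

# Constructed zone plan: one zone per department plus a DMZ for externally
# reachable servers. Any address outside the plan belongs to "untrust".
ZONES = {
    "finance": ip_network("10.1.0.0/24"),
    "research": ip_network("10.2.0.0/23"),  # R&D networks 1 and 2 share one zone
    "marketing": ip_network("10.3.0.0/24"),
    "production": ip_network("10.4.0.0/24"),
    "dmz": ip_network("172.16.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str                        # zone name, or "*" for any zone
    dst_zone: str
    dst_port: Optional[int]              # None matches any destination port
    action: str                          # "permit" or "deny"
    src_hosts: frozenset = frozenset()   # if non-empty, only these sources match


# Constructed interzone rules, evaluated top-down; the first match wins.
RULES = (
    # Only two named R&D hosts may reach the marketing web portal.
    Rule("rnd_to_marketing_web", "research", "marketing", 443, "permit",
         frozenset({"10.2.0.10", "10.2.1.10"})),
    # Any zone, including the Internet, may reach the DMZ web server over HTTPS.
    Rule("any_to_dmz_https", "*", "dmz", 443, "permit"),
    # Finance applications query the production database.
    Rule("finance_to_production_db", "finance", "production", 3306, "permit"),
)


def zone_of(ip: str) -> str:
    """Map an address to its security zone; unmatched addresses are untrust."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "untrust"


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (action, matched rule name) for one flow.
    Intrazone traffic is permitted without a rule; interzone traffic must
    match a permit rule or it is denied by default (minimum authorization)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "permit", "intrazone"
    for rule in RULES:
        if rule.src_zone not in ("*", src_zone) or rule.dst_zone not in ("*", dst_zone):
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        if rule.src_hosts and src_ip not in rule.src_hosts:
            continue
        return rule.action, rule.name
    return "deny", "default"


def reachable_pairs() -> Set[Tuple[str, str]]:
    """Zone pairs with at least one permit rule: which boundaries are open at all."""
    zones = list(ZONES) + ["untrust"]
    return {(s, d) for s in zones for d in zones if s != d and any(
        r.action == "permit" and r.src_zone in ("*", s) and r.dst_zone in ("*", d)
        for r in RULES)}
```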

4 Huawei Network Security Solution

4.1 Network Security Solution for XX Enterprise

Choose one solution or a combination of solutions based on the analysis of XX enterprise's requirements.

4.1.1 Border Protection for Large and Medium-sized Enterprises

Figure 4-1 Typical networking of border protection for large and medium-sized enterprises
[Figure: USGs in hot standby at the egress; DMZ with file, mail, and web servers and eSight; Trust zone (office network); Untrust zone (public network/server); VPN tunnels to a branch office and to mobile employees]

Large and medium-sized enterprises have the following service features:
- A large number of employees (over 500), complex services, and various traffic flows
- Services available to external users, such as website and mail services
- Exposure to DDoS attacks and great losses if the attacks succeed
- High requirements on device reliability, so that services continue when traffic is heavy or even when a device is faulty

The USGs that act as egress gateways of a large or medium-sized enterprise provide the following functions:
- Assign the employee network, server network, and Internet to different security zones and configure security policies to inspect the traffic between security zones.
- Implement content security defense functions based on the services provided to external users. For example, file blocking and data filtering are enabled for the file server in the preceding figure, mail filtering for the mail server, and antivirus and intrusion prevention for all servers.
- Implement URL filtering, file blocking, data filtering, antivirus, and application behavior control to defend against Internet threats and prevent information leaks.
- Establish VPN tunnels with the devices of mobile employees and branch offices for secure communication with the headquarters across the Internet.
- Implement the anti-DDoS function to defend against heavy-traffic attacks launched by extranet hosts, ensuring normal service operation.
- Apply bandwidth policies to traffic between the intranet and extranet to control bandwidth and the number of connections, which avoids network congestion and helps defend against DDoS attacks.
- Communicate with the eLog server (purchased separately), which records logs about network operation. The logs help administrators adjust configurations, identify risks, and audit traffic.
- Implement hot standby to improve system availability. When a single-point fault occurs, service traffic is smoothly switched from the active device to the standby device to ensure continuity.

4.1.2 Intranet Control and Security Isolation

Figure 4-2 Typical networking of intranet control and security isolation
[Figure: USG as egress gateway; marketing department, production, and server area; R&D departments 1 and 2 in zone Research; Untrust; intrazone and interzone traffic]

Security levels are assigned to the subnets of the intranet of a large or medium-sized enterprise. For example, the USG isolates the R&D network, production network, and marketing network and monitors traffic among the networks to:
- Take different security measures according to the service types and security risks of each network.
- Control traffic among the networks to avoid information leaks.
- Isolate networks to prevent the spread of viruses.
- Divide networks to reduce the detection load and improve detection efficiency, because most traffic is generated within one network and traffic within one network does not require much intervention.

The USG that acts as an intranet border device of a large or medium-sized enterprise provides the following functions:
- Isolates networks.
- Establishes a user management system to control user access permissions.
- Assigns networks of the same security level to the same security zone, where only a few security functions are deployed. For example, R&D networks 1 and 2 belong to security zone Research, and the packet filtering, blacklist and whitelist, and antivirus functions can be applied to the traffic between the two networks.
- Assigns networks of different security levels to different security zones, where security functions are deployed based on actual service requirements. For example, only some R&D hosts can access the marketing network, and the antivirus, file blocking, and data filtering functions are applied between the R&D network and the marketing, production, and server networks.
- Applies bandwidth policies to security zones to control bandwidth and the number of connections, avoiding intranet congestion.
- Applies the intrusion prevention, antivirus, file blocking, data filtering, URL filtering, and application behavior control functions between security zones and the Internet.

4.1.3 Border Protection for IDCs

Figure 4-3 Border protection for IDCs
[Figure: USGs in hot standby; DMZ with web, mail, and file servers; NMS and log server; Trust and Untrust zones; individual and enterprise customers and an attacker on the Internet]

An Internet Data Center (IDC) is an infrastructure that provides maintenance services to collect, store, process, and send data on the Internet. An IDC is generally constructed by a network service provider to provide server hosting and virtual domain name services for small and medium-sized enterprises and individual customers.

The network structure of an IDC has the following features:
- Servers in the IDC are protected, and security functions are applied based on service types.
- Servers of multiple enterprises may be deployed in one IDC, which makes the IDC an attractive target for attackers.
- The key function of the IDC is to provide network services for external users, so normal access from the Internet to servers in the IDC must be guaranteed. The border protection device must therefore have high processing performance and a comprehensive reliability mechanism, and must keep network access available when attacks are launched on the IDC.
- IDC traffic is complex. The administrator cannot adjust configurations effectively if the traffic is unclear.

The USGs that act as border devices of the IDC provide the following functions:
- Implement the traffic statistics function to collect statistics on traffic by IP address, user, or application, which helps formulate security policies.

- Implement traffic limiting by IP address or application to ensure stable operation of servers and avoid network congestion.
- Implement the intrusion prevention and antivirus functions to protect servers from viruses, Trojan horses, and worms.
- Implement anti-DDoS and other attack defense functions to defend against attacks from the Internet.
- Implement the mail filtering function to protect mail servers on the intranet from spam and to prevent the servers from being blacklisted by anti-spam organizations due to unintentional spam forwarding.
- Implement file blocking and data filtering to prevent information leaks.
- Communicate with the eLog server (purchased separately), which records logs about network operation. The logs help administrators adjust configurations, identify risks, and audit traffic.
- Implement hot standby to improve system availability. When a single-point fault occurs, service traffic is smoothly switched from the active device to the standby device to ensure continuity.

4.1.4 VPN Remote Access and Mobile Working

Figure 4-4 Typical networking of VPN remote access and mobile working
[Figure: headquarters USG; branch office USG connected over IPSec; partner USG connected over L2TP over IPSec; SSL VPN access]

Nowadays, enterprises generally establish branch offices or cooperate with remote organizations around the world. Branch offices, partners, and mobile employees need to remotely access the headquarters. Secure and low-cost remote access and mobile working can be implemented using VPN technologies. Remote access and mobile working have the following features:
- Branch offices need to access the headquarters network seamlessly and operate without interruption.
- Partners must be flexibly authorized to limit the accessible network resources and transmittable data types based on services.
- The locations, IP addresses, and access times of mobile employees are not fixed. In addition, mobile employees are not protected by the enterprise's information security measures. Strict access authentication must be applied to mobile employees, and their accessible resources and permissions must be accurately controlled.
- Encryption protection must be applied to remote access communications to prevent network eavesdropping, tampering, forgery, and replay, as well as information leaks on the application and content planes.

The USGs that act as the access gateways of enterprise VPNs provide the following functions:
- Establish permanent IPSec or L2TP over IPSec tunnels for branches and partners with fixed VPN gateways. If access account verification is required, L2TP over IPSec tunnels are recommended.
- Use the VPN client or SSL VPN for mobile employees with variable addresses. The VPN client is free of charge. With SSL VPN, no client installation is required: mobile employees can establish tunnels with the headquarters using only a web browser, which is convenient, and the resources accessible to them are controlled in a fine-grained manner.
- Apply IPSec or SSL encryption to protect network data transmitted over tunnels.
- Authenticate users that access the network through VPN tunnels to ensure user legitimacy, and authorize access based on user permissions.
- Implement the intrusion prevention, antivirus, file filtering, data filtering, and anti-DDoS functions to prevent remote access users from introducing network threats and to prevent information leaks.
- Implement the user behavior audit function to discover risks in time and support future tracing.

4.1.5 Cloud Computing Gateway Protection Solution

Figure 4-5 Net
